# Randomized Consensus with Regular Registers

Vassos Hadzilacos<sup>1</sup>, Xing Hu<sup>1</sup>, and Sam Toueg<sup>1</sup>

<sup>1</sup>Department of Computer Science, University of Toronto

June 15, 2020

#### Abstract

The well-known randomized consensus algorithm by Aspnes and Herlihy [1] for asynchronous shared-memory systems was proved to work, even against a strong adversary, under the assumption that the registers that it uses are *atomic* registers. With atomic registers every read or write operation is *instantaneous* (and thus indivisible). As pointed out in [2], however, a randomized algorithm that works with atomic registers does not necessarily work if we replace the atomic registers that it uses with linearizable implementations of registers.

This raises the following question: does the randomized consensus algorithm by Aspnes and Herlihy still work against a strong adversary if we replace its atomic registers with linearizable registers?

We show that the answer is affirmative; in fact, we show that even linearizable registers are not necessary. More precisely, we prove that the algorithm by Aspnes and Herlihy works against a strong adversary even if the algorithm uses only *regular* registers.

### 1 Introduction

In the *consensus problem*, each process *proposes* some value and must *decide* a value such that the following properties hold:

- Validity: If a process decides a value v then some process proposes v.
- Agreement: No two processes decide different values.
- Termination: Every non-faulty process eventually decides a value.

This problem cannot be solved in asynchronous shared-memory systems with process crashes [4], but there are *randomized* algorithms that solve a weaker version of the consensus problem that requires Termination "only" with probability 1. In particular, the well-known randomized consensus algorithm by Aspnes and Herlihy [1] for shared-memory systems was proved to work, even against a strong adversary and with any number of process crashes, under the assumption that the registers that it uses are *atomic* Single-Writer Multiple-Reader (SWMR) registers. With atomic registers every read or write operation is *instantaneous* (and thus indivisible).

As pointed out in [2], however, a randomized algorithm that works with atomic registers does not necessarily work (i.e., it may lose some of its properties, including termination) if we replace the atomic registers that it uses with *linearizable (implementations of) registers*.<sup>1</sup> Intuitively, this is because a strong adversary can exploit a weakness in the linearizability requirement to break some properties of the algorithm. If, however, we replace the algorithm's atomic registers with *strongly* linearizable (implementations of) *registers*, then the algorithm is guaranteed to retain its original properties [2]. This leads to the following natural question: does the randomized consensus algorithm by Aspnes and Herlihy still work against a strong adversary if we replace the atomic registers that it uses with linearizable registers, or does it require strongly linearizable registers?

<sup>1</sup>Roughly speaking, an object (implementation) is linearizable [3] if, although each object operation spans an interval between its invocation and its response, and so operations can be *concurrent*, operations behave as if they occur in a sequential order (called "linearization order") that is consistent with the order in which operations actually occur: if an operation o completes before another operation o' starts, then o precedes o' in the linearization order.

*Prima facie*, it appears that this algorithm requires strongly linearizable registers to work. This is because, as we explain in the Appendix, the proof given in [1] that the algorithm terminates with probability 1 relies on the fact that the algorithm's registers are atomic: this proof does *not* work with (non-atomic) linearizable registers.

We show here that strong linearizability is not necessary for this algorithm to work. In fact, we show the perhaps surprising result that even linearizable registers are not necessary. More precisely, we prove that the algorithm works against a strong adversary even if the algorithm uses only *regular* SWMR registers.

### 2 Regular registers

Each read or write operation on a non-atomic register (such as a regular register) spans an interval that starts with an *invocation* and terminates with a *response*.

**Definition 1.** Let o and o' be any two register operations.

- o precedes o' if the response of o occurs before the invocation of o'.
- o is concurrent with o' if neither precedes the other.

**Definition 2.** A register initialized to some value  $v_0$  is a regular register if and only if it satisfies the following property. If the response of a read operation r returns the value v then:

1. there is a write v operation that immediately precedes r or is concurrent with r, or
2. no write operation precedes r and $v = v_0$.

Note that regular registers are *not* linearizable registers because they allow "new-old inversions": two consecutive read operations that are concurrent with a write operation can be such that the first read returns the new value of the register, while the second read returns the old value.
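
Definition 2 and the new-old inversion can be checked mechanically on a timed history of operations. The following Python sketch is an added example, not code from the paper; the `Op` record, the function names and the two sample histories are constructed for illustration, and it assumes a single writer whose written values are pairwise distinct and differ from $v_0$.

```python
from collections import namedtuple

# One register operation: kind is "W" or "R", val is the value written or
# returned, inv/resp are the times of its invocation and its response.
Op = namedtuple("Op", "kind val inv resp")


def precedes(a, b):
    """Definition 1: a precedes b if a's response occurs before b's invocation."""
    return a.resp < b.inv


def concurrent(a, b):
    """Definition 1: a and b are concurrent if neither precedes the other."""
    return not precedes(a, b) and not precedes(b, a)


def allowed_values(read, writes, v0):
    """Set of values that Definition 2 allows `read` to return."""
    allowed = {w.val for w in writes if concurrent(w, read)}
    before = [w for w in writes if precedes(w, read)]
    if before:
        # Single writer: writes are sequential, so the write that immediately
        # precedes the read is the preceding write with the latest response.
        allowed.add(max(before, key=lambda w: w.resp).val)
    else:
        allowed.add(v0)  # clause 2: no write precedes the read
    return allowed


def is_regular(history, v0):
    """True if every read in the history satisfies Definition 2."""
    writes = [o for o in history if o.kind == "W"]
    return all(o.val in allowed_values(o, writes, v0)
               for o in history if o.kind == "R")


def new_old_inversions(history, v0):
    """Pairs of reads (a, b) where a precedes b but a returned a newer value."""
    writes = sorted((o for o in history if o.kind == "W"), key=lambda w: w.inv)
    age = {v0: 0, **{w.val: i + 1 for i, w in enumerate(writes)}}
    reads = [o for o in history if o.kind == "R" and o.val in age]
    return [(a, b) for a in reads for b in reads
            if precedes(a, b) and age[a.val] > age[b.val]]


# Constructed history: both reads overlap the write; the first returns the new
# value and the second returns the old one. Regular, but not linearizable.
INVERSION = [Op("W", "new", 1, 10), Op("R", "new", 2, 3), Op("R", "old", 4, 5)]

# Constructed history: the read starts after the write has completed but still
# returns the initial value. This violates Definition 2.
STALE = [Op("W", "new", 1, 10), Op("R", "old", 12, 13)]
```
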

### 3 Aspnes and Herlihy's algorithm works with regular registers

In the algorithm by Aspnes and Herlihy (shown in Algorithm 1), every process p now has a regular SWMR register R[p] that p can write and every process can read. The register R[p] contains a pair (prefer, round): R[p].prefer is either a value in  $\{0, 1\}$  that process p currently "prefers" (and will eventually be the value that p decides), or the special symbol  $\perp$  (which indicates that p is temporarily "paused"); R[p].round is a counter that increases in each iteration (except for each iteration where p is paused, i.e., R[p].prefer is  $\perp$ ).

At the beginning of the algorithm, each process p sets R[p] to contain the pair (v, 1), where v is the value that p proposes. The process then enters a loop in which it first reads the registers of all processes, and based on what it reads it determines whether to decide and, if not, how to update its register. Given the values of the registers that a process p reads at the start of each iteration, the following terms are used in the description of the algorithm and its proof:

**Definition 3.**

- A process p is a leader if R[p].round  $\geq R[j]$ .round for every process j.
- A process q agrees with p if R[p].prefer = R[q].prefer  $\neq \perp$ .
- A process q agrees with p on some value v if  $v \neq \perp$  and R[p].prefer = R[q].prefer = v.
- A process q trails p by at least 2 rounds if R[p].round  $\geq R[q]$ .round + 2.

Unless we indicate otherwise, henceforth we consider an arbitrary execution of Algorithm 1. In the following we say that a process *crashes* if it does not halt but takes finitely many steps, and a process is *correct* if it does not crash.

#### Algorithm 1 Aspnes and Herlihy's Randomized Consensus Algorithm

For each process  $p \in \Pi$ : R[p] is a shared regular SWMR register that p can write and every process can read; initially  $R[p] = (\perp, 0)$ 

| | | |
|---|---|---|
| CONSENSUS(v): | | $\triangleright$ code executed by process $p$ to propose the value $v$ |
| 1: | $R[p] \leftarrow (v, 1)$ | $\triangleright$ WRITE$(v, 1)$ |
| 2: | while true do | |
| 3: | &emsp;read all registers $R[*]$ | |
| 4: | &emsp;$(x,r) \leftarrow R[p]$ | $\triangleright$ $x \in \{0, 1, \bot\}$ |
| 5: | &emsp;if I'm a leader and all who disagree (with me) trail by at least 2 rounds: | |
| 6: | &emsp;&emsp;decide $x$ and halt | $\triangleright$ $x \in \{0,1\}$ |
| 7: | &emsp;else if leaders agree on some value $v^*$: | |
| 8: | &emsp;&emsp;$R[p] \leftarrow (v^*, r+1)$ | $\triangleright$ WRITE$(v^*, r+1)$ |
| 9: | &emsp;else if $x \neq \bot$: | |
| 10: | &emsp;&emsp;$R[p] \leftarrow (\bot, r)$ | $\triangleright$ WRITE$(\bot, r)$ |
| 11: | &emsp;else: | |
| 12: | &emsp;&emsp;$R[p] \leftarrow (\mathrm{flip}(), r+1)$ | $\triangleright$ WRITE$(\mathrm{flip}(), r+1)$ |
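
Algorithm 1 can be exercised over simulated regular registers to sample executions and check Validity and Agreement on each one. The Python sketch below is an added example, not the authors' code. It assumes a seeded random scheduler (which is weaker than the strong adversary of the paper), models each read as a single step that may return either the old or the new value while a write is in progress, and uses hypothetical names (`RegularRegister`, `consensus`, `run`, `crash_at`).

```python
import random

BOT = None  # the special symbol ⊥ of the paper


class RegularRegister:
    """SWMR register; a read that overlaps a write may return old or new value."""

    def __init__(self):
        self.done = (BOT, 0)   # value of the last completed write; initially (⊥, 0)
        self.pending = None    # value of a write that was invoked but has not responded

    def read(self, rng):
        if self.pending is not None and rng.random() < 0.5:
            return self.pending
        return self.done


def write(reg, val):
    reg.pending = val                    # invocation of the write
    yield                                # other processes take steps meanwhile
    reg.done, reg.pending = val, None    # response of the write


def consensus(p, v, R, rng, decided):
    """Algorithm 1 for process p proposing v; every `yield` is a scheduling point."""
    yield from write(R[p], (v, 1))                                  # line 1
    while True:                                                     # line 2
        view = []
        for reg in R:                                               # line 3
            view.append(reg.read(rng))
            yield
        x, r = view[p]                                              # line 4
        top = max(rq for _, rq in view)
        leader_prefs = {xq for xq, rq in view if rq == top}
        # A process that holds ⊥ agrees with nobody (Definition 3), so it never decides.
        if (x is not BOT and r == top and
                all(rq + 2 <= r for xq, rq in view if xq != x)):    # line 5
            decided[p] = (x, r)                                     # line 6
            return
        elif len(leader_prefs) == 1 and BOT not in leader_prefs:    # line 7
            yield from write(R[p], (leader_prefs.pop(), r + 1))     # line 8
        elif x is not BOT:                                          # line 9
            yield from write(R[p], (BOT, r))                        # line 10
        else:                                                       # line 11
            yield from write(R[p], (rng.randint(0, 1), r + 1))      # line 12


def run(proposals, seed, crash_at=None, max_steps=200_000):
    """Run one randomly scheduled execution.

    crash_at maps a process id to the global step at which it stops taking
    steps. Returns {process: (decided value, round of the decision)}.
    """
    rng = random.Random(seed)
    R = [RegularRegister() for _ in proposals]
    decided = {}
    live = {p: consensus(p, v, R, rng, decided) for p, v in enumerate(proposals)}
    for step in range(max_steps):
        for p, t in (crash_at or {}).items():
            if t == step:
                live.pop(p, None)        # p crashes, possibly in the middle of a write
        if not live:
            break
        p = rng.choice(sorted(live))
        try:
            next(live[p])
        except StopIteration:            # p decided and halted
            del live[p]
    return decided
```

A process that crashes between the invocation and the response of a write leaves its register returning either value to every later read, which Definition 2 permits because that write is concurrent with all of those reads.
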

**Notation 4.**

- A process q invokes WRITE(x, y), if q invokes an operation to write (x, y) into register R[q].
- v and $\bar{v}$ are values in $\{0,1\}$ such that $\bar{v} = 1 - v$.

**Observation 5.** For every round  $r \ge 1$ :

- (a) If a process invokes WRITE(x, r) then  $x \in \{0, 1, \bot\}$ .
- (b) For all  $x \in \{0, 1, \bot\}$ , a process invokes WRITE(x, r) at most once.
- (c) No process invokes both WRITE(0, r) and WRITE(1, r).
- (d) If a process invokes WRITE(-, r) before it invokes WRITE(-, r') for some r' then  $r \leq r'$ .
- (e) If a process invokes  $WRITE(\bot, r)$ , then it invokes WRITE(v, r) for some  $v \in \{0, 1\}$  before it invokes  $WRITE(\bot, r)$ .

**Lemma 6.** For all  $r \ge 1$ , if a process p invokes WRITE(v, r) and then invokes  $WRITE(\bar{v}, r+1)$ , then some process  $q \ne p$  invokes  $WRITE(\bar{v}, r')$  with  $r' \ge r$  before p invokes  $WRITE(\bar{v}, r+1)$ .

*Proof.* Let  $r \ge 1$  and suppose a process p invokes WRITE(v, r) and then invokes  $WRITE(\bar{v}, r+1)$ . Consider the while iteration in which p invokes  $WRITE(\bar{v}, r+1)$ . Note that p completes its WRITE(v, r) operation before it reads the registers R[-] in line 3 of that iteration. Thus, since R[p] is a regular register, p reads (-, r) from R[p] in line 3.

Let r' be the round of the leaders that p sees in line 3, i.e., p reads (-, r') from the register of every leader in line 3. Since p reads (-, r) from R[p], by the definition of leaders,  $r' \ge r$ .

**Claim 6.1.** p reads either  $(\bar{v}, r')$  or  $(\bot, r')$  from the register  $R[\ell]$  of some leader  $\ell$ .

*Proof.* Note that p invokes  $WRITE(\bar{v}, r+1)$  by executing either line 8 or line 12.

- Case 1: If p executes line 8, then by the condition of line 7, p must have seen that the leaders agree on $\bar{v}$, so p reads $(\bar{v}, r')$ from all the leaders.
- Case 2: If p executes line 12, then, by the condition of line 7, it must have seen that the leaders do not agree. So, either p reads $(\perp, r')$ from the register of at least one leader, or p reads both (v, r') and $(\bar{v}, r')$ from the registers of some leaders.

So in both cases the claim holds.

Since  $R[\ell]$  is a regular register, by Claim 6.1,  $\ell$  invokes  $\text{WRITE}(\bar{v}, r')$  or  $\text{WRITE}(\bot, r')$  before p completes reading  $R[\ell]$ . So  $\ell$  invokes  $\text{WRITE}(\bar{v}, r')$  or  $\text{WRITE}(\bot, r')$  before p invokes  $\text{WRITE}(\bar{v}, r+1)$ .

**Case 1:** $\ell$ invokes WRITE $(\bar{v}, r')$ before p invokes WRITE $(\bar{v}, r+1)$. We claim that $\ell \neq p$. Suppose for contradiction that $\ell = p$. Since p invokes WRITE $(\bar{v}, r')$ before p invokes WRITE $(\bar{v}, r+1)$, and $r' \geq r$, by Observation 5(b) and (d), r' = r. So p invokes both WRITE $(\bar{v}, r)$ and WRITE(v, r) — a contradiction to Observation 5(c). Since $\ell$ invokes WRITE $(\bar{v}, r')$ before p invokes WRITE $(\bar{v}, r+1)$ and $\ell \neq p$, the lemma holds for $q = \ell$.

**Case 2:**  $\ell$  invokes WRITE $(\perp, r')$  before p invokes WRITE $(\bar{v}, r+1)$ . Let f be the *first* process that invokes WRITE $(\perp, r')$ ; recall that  $r' \geq r$ . Note that f invokes WRITE $(\perp, r')$  in line 10 of some while iteration. Let  $r^*$  be the round of the leaders that f sees in line 3, i.e., f reads  $(-, r^*)$  from the register of every leader in line 3 of that iteration. Since f invokes WRITE $(\perp, r')$  in line 10, f reads (-, r') from R[f] in line 3. So, by definition of leaders, the leaders that f sees in line 3 have  $r^* \geq r'$ ; since  $r' \geq r$ , we have  $r^* \geq r$ .

Note that f does not read  $(\bot, r^*)$  from any leader's register in line 3: this is because, since the shared registers are regular, that leader would have invoked WRITE $(\bot, r^*)$  with  $r^* \ge r$  before f invokes WRITE $(\bot, r')$  with  $r' \ge r$  — contradicting the definition of f.

Since f invokes WRITE $(\perp, r')$  in line 10, by the condition of line 7, f sees that the leaders do not agree. Since f does not read  $(\perp, r^*)$  from any leader's register in line 3 but it sees that the leaders do not agree, f must read both  $(v, r^*)$  and  $(\bar{v}, r^*)$  from some leaders' registers. Let q be a leader such that f reads  $(\bar{v}, r^*)$  from R[q] in line 3. Since R[q] is a regular register, q invokes WRITE $(\bar{v}, r^*)$  before f completes the reading of R[q]. Thus, q invokes WRITE $(\bar{v}, r^*)$  before f invokes WRITE $(\perp, r')$  in line 10. By the choice of f, q invokes WRITE $(\bar{v}, r^*)$  before  $\ell$  invokes WRITE $(\perp, r')$ . So, by the hypothesis of Case 2, q invokes WRITE $(\bar{v}, r^*)$  before p invokes WRITE $(\bar{v}, r+1)$ . Note that  $q \neq p$  (the proof is the same as the proof of  $\ell \neq p$  in Case 1). Thus, since  $r^* \geq r$ , the lemma holds for  $r' = r^*$ .

The next lemma generalizes Lemma 6.

**Lemma 7.** For all  $r \ge 1$ , if a process p invokes WRITE(v, r) before it invokes  $\text{WRITE}(\bar{v}, r')$  with r' > r, then some process  $q \ne p$  invokes  $\text{WRITE}(\bar{v}, r'')$  with  $r'' \ge r$  before p invokes  $\text{WRITE}(\bar{v}, r')$ .

*Proof.* Let $r \ge 1$ and suppose a process p invokes WRITE(v, r) and then invokes WRITE $(\bar{v}, r')$ with r' > r. From Observation 5(e), for every round $j$, $r \le j \le r'$, p invokes WRITE(v, j) or WRITE $(\bar{v}, j)$. So there is a round $\hat{r}$, $r \le \hat{r} < r'$, such that p invokes WRITE $(v, \hat{r})$ and then invokes WRITE $(\bar{v}, \hat{r}+1)$. By Lemma 6, some process $q \ne p$ invokes WRITE $(\bar{v}, r'')$ with $r'' \ge \hat{r}$ before p invokes WRITE $(\bar{v}, \hat{r}+1)$. Since $\hat{r} \ge r$, we have $r'' \ge r$; and since $\hat{r} < r'$, p invokes WRITE $(\bar{v}, \hat{r}+1)$ no later than when it invokes WRITE $(\bar{v}, r')$. So $q \ne p$ and q invokes WRITE $(\bar{v}, r'')$ with $r'' \ge r$ before p invokes WRITE $(\bar{v}, r')$.

**Lemma 8.** For all  $r \ge 1$ , if no process invokes WRITE $(\bar{v}, r)$  by some time in the execution of the algorithm, no process invokes WRITE $(\bar{v}, r')$  for any  $r' \ge r$  by that time.

*Proof.* Assume, for contradiction, there is a round $r \ge 1$ and a time t such that no process invokes WRITE $(\bar{v}, r)$ by time t, but some processes invoke WRITE $(\bar{v}, r')$ with $r' \ge r$ by time t. Let p be the first process that invokes WRITE $(\bar{v}, r')$ with $r' \ge r$; this must occur by time t. Since no process invokes WRITE $(\bar{v}, r)$ by time t, r' > r. Note that p invokes WRITE(-, r) before p invokes WRITE $(\bar{v}, r')$. So, by Observation 5(e), p invokes WRITE $(w, r)$ with a value $w \in \{v, \bar{v}\}$ before it invokes WRITE $(\bar{v}, r')$ by time t. Since no process invokes WRITE $(\bar{v}, r)$ by time t, w = v. By Lemma 7, some process $q \neq p$ invokes WRITE $(\bar{v}, r'')$ with $r'' \ge r$ before p invokes WRITE $(\bar{v}, r')$ — a contradiction since p is the first process that invokes WRITE $(\bar{v}, r')$ with $r' \ge r$ by time t.

We now prove a similar lemma for the special value  $\perp$ .

**Lemma 9.** For all  $r \ge 1$ , if no process invokes WRITE $(\bar{v}, r)$  by some time in the execution of the algorithm, no process invokes WRITE $(\perp, r')$  for any  $r' \ge r$  by that time.

*Proof.* Assume, for contradiction, there is a round  $r \ge 1$  and a time t such that no process invokes WRITE $(\bar{v}, r)$  by time t, but some process invokes WRITE $(\bot, r')$  with  $r' \ge r$  by time t. Let p be the *first* process that invokes WRITE $(\bot, r')$  with  $r' \ge r$  by time t. Note that p does so in line 10 for some while iteration. Let r'' be the round of the leaders that p sees in line 3, i.e., p reads (-, r'') from the register of every leader in line 3 of that iteration. Since p invokes WRITE $(\bot, r')$  in line 10, p reads (-, r') from R[p] in line 3 by time t. So, by definition of leaders, the leaders that p sees in line 3 have  $r'' \ge r'$ ; since  $r' \ge r$ , we have  $r'' \ge r$ .

Since no process invokes WRITE $(\bar{v}, r)$  by time t, and  $r'' \ge r$ , by Lemma 8, no process invokes WRITE $(\bar{v}, r'')$  by time t. So, since the shared registers are regular, p cannot read  $(\bar{v}, r'')$  from any register R[-] in line 3 by time t.

Since p invokes WRITE $(\perp, r')$  in line 10, by the condition of line 7, p must see that the leaders do not agree. So, since p does not read  $(\bar{v}, r'')$  from any register R[-] in line 3, p sees the leaders do not agree because it reads  $(\perp, r'')$  from the register  $R[\ell]$  for at least one leader  $\ell$  by time t. Since  $R[\ell]$  is a regular register,  $\ell$  invokes WRITE $(\perp, r'')$  before p completes its reading of  $R[\ell]$  in line 3. So,  $\ell$  invokes WRITE $(\perp, r'')$  with  $r'' \geq r$  before p invokes WRITE $(\perp, r')$  in line 10, and  $\ell$  does so by time t — a contradiction since p is the first process that invokes WRITE $(\perp, r')$  with  $r' \geq r$  by time t.

By Lemmas 8 and 9, and Observation 5(a), we have the following:

**Corollary 10.** For all  $r \ge 1$ , if no process invokes  $WRITE(\bar{v}, r)$ , then for all  $r' \ge r$ , every process that invokes WRITE(-, r') invokes WRITE(v, r').

**Definition 11.** If a process p executes line 6 when R[p] = (v, r), we say that p decides v at round r.

We first show that the algorithm satisfies the Validity property.

**Lemma 12** (Validity). If a process decides v then some process proposes v.

*Proof.* Suppose, for contradiction, that some process p decides v but all the processes that propose a value, propose  $\bar{v}$ . So they all invoke  $\text{WRITE}(\bar{v}, 1)$ , and by Observation 5(c) no process invokes WRITE(v, 1). By Corollary 10, for all  $r \geq 1$ , every process that invokes WRITE(-, r) invokes  $\text{WRITE}(\bar{v}, r)$ . So the register R[p] can only contain the value  $\bar{v}$  or  $\bot$ . Note that when p decides (this occurs in line 6), p decides a value x only if x is in R[p] and  $x \neq \bot$ . Thus p can only decide  $\bar{v}$  — a contradiction.  $\Box$ 

We now proceed to show that the algorithm satisfies the **Agreement** property.

**Lemma 13.** For every round $r \ge 1$, if some process p decides v at round r, no process invokes WRITE $(\bar{v}, r)$.

*Proof.* For r = 1: Suppose some process p decides v at round 1. By Definition 11, this means that p has R[p] = (v, 1) when it executes line 6. Since initially $R[p] = (\bot, 0)$, by the condition of line 5, p reads (v, 1) from the register of every process in line 3. Since the registers are regular, every process invokes WRITE(v, 1). By Observation 5(c), no process invokes WRITE $(\bar{v}, 1)$. Thus, by Corollary 10, for all $r \ge 1$, no process invokes WRITE $(\bar{v}, r)$.

For  $r \ge 2$ : Suppose, for contradiction, that some process p decides v at round r, but some process invokes WRITE $(\bar{v}, r)$ . Let q be the *first* process that invokes WRITE $(\bar{v}, r)$ .

Since p decides v at round r in some while iteration, by Definition 11, p executes line 6 when R[p] = (v, r); so p reads (v, r) from R[p] in line 3 in that iteration. So, since R[p] is a regular register, it is clear that the following holds:

**Claim 13.1.** p completes WRITE(v, r) before p starts reading registers in line 3 of the while iteration where p decides v at round r.

Since  $r \ge 2$ , q invokes WRITE $(\bar{v}, r)$  by executing either (1) line 8 or (2) line 12. We now prove that both cases are impossible (and so the lemma holds):

- Case 1: q invokes WRITE $(\bar{v}, r)$ by executing line 8. Consider the while iteration in which q invokes WRITE $(\bar{v}, r)$ by executing line 8. Process q reads all the registers in line 3 of that iteration.

**Claim 13.2.** q is a leader and q reads  $(\bar{v}, r-1)$  from the register of every leader in line 3.

*Proof.* Since q invokes WRITE $(\bar{v}, r)$ in line 8 of that iteration, q previously reads (-, r - 1) from R[q] in line 3; moreover, by the condition of line 7, q reads $(\bar{v}, r')$ for some r' from the register of every leader. So, by the definition of leaders, $r' \ge r - 1$. By the definition of q, no process invokes WRITE $(\bar{v}, r)$ before q invokes WRITE $(\bar{v}, r)$, and so no process invokes WRITE $(\bar{v}, r)$ before q completes reading registers in line 3. By Lemma 8, no process invokes WRITE $(\bar{v}, j)$ for any $j \ge r$ before q completes reading registers in line 3. Thus, since q reads $(\bar{v}, r')$ with $r' \ge r - 1$ from every leader's register in line 3, and the registers are regular, q reads $(\bar{v}, r-1)$ from every leader's register. Recall that q reads (-, r - 1) from R[q] in line 3. So, by the definition of leaders, q is a leader.

By Claim 13.2, q reads  $(\bar{v}, r-1)$  from R[q] in line 3. Since R[q] is a regular register, q previously invoked WRITE $(\bar{v}, r-1)$ . Therefore we have:

**Claim 13.3.** q completes WRITE $(\bar{v}, r-1)$  before q starts reading registers in line 3.

**Claim 13.4.** q completes WRITE $(\bar{v}, r-1)$  before p completes WRITE(v, r).

*Proof.* From Claim 13.2, q reads (-, r') with some $r' \leq r-1$ from R[p] in line 3. Since $r' \leq r-1$, by Observation 5(d), p invokes WRITE(-, r') before invoking WRITE(v, r). Since q reads (-, r') from R[p], q starts reading registers in line 3 before p completes WRITE(v, r). By Claim 13.3, q completes WRITE $(\bar{v}, r-1)$ before p completes WRITE(v, r).

Now consider the while iteration in which p decides v at round r.

**Claim 13.5.** p reads $(\bar{v}, r')$ or $(\bot, r')$ with r' = r - 1 or r from R[q] in line 3 of the while iteration where p decides v at round r.

*Proof.* By Claim 13.4, q completes WRITE $(\bar{v}, r - 1)$  before p starts reading registers in line 3. Since R[q] is a regular register, by Observation 5(d), p reads (-, r') with  $r' \ge r - 1$  from R[q] in line 3. Since p decides v at round r in that iteration, (1) p has R[p] = (v, r) in line 3, and (2) by the condition of line 5, p is a leader. Thus, p does not read (-, j) for any j > r from any register in line 3. This implies that p reads (-, r') with r' = r - 1 or r from R[q] in line 3 in that iteration.

By the definition of q, process q invokes WRITE $(\bar{v}, r)$ ; by Claim 13.3, q completes WRITE $(\bar{v}, r-1)$ . So, by Observation 5(c), q does not invoke WRITE(v, r') with r' = r - 1 or r. Since R[q] is a regular register, when p reads (-, r') from R[q] in line 3, p reads  $(\bar{v}, r')$  or  $(\bot, r')$  with r' = r - 1 or r.

When p executes line 5 with R[p] = (v, r), by Claim 13.5, p sees that it disagrees with process q, and q trails by at most one round, and so p does not decide in line 6 — a contradiction.

- Case 2: q invokes WRITE $(\bar{v}, r)$ by executing line 12. Consider the while iteration in which q invokes WRITE $(\bar{v}, r)$ by executing line 12.

**Claim 13.6.** q completes WRITE $(\perp, r-1)$  before it starts reading registers in line 3.

*Proof.* Since q invokes WRITE $(\bar{v}, r)$  by executing line 12, by the condition of line 9, q reads  $(\perp, r-1)$  from R[q] in line 3. Thus, since R[q] is a regular register, q completes WRITE $(\perp, r-1)$  before it starts reading registers in line 3.

**Claim 13.7.** q reads (-, r - 1) from the register of every leader in line 3.

*Proof.* Since q invokes WRITE $(\bar{v}, r)$ by executing line 12, q must see that the leaders do not agree on any value $v^*$ in line 7. Thus, for some r', either q reads both (v, r') and $(\bar{v}, r')$ from the leaders' registers in line 3, or q reads $(\perp, r')$ from at least one leader's register in line 3. So, for some leader $\ell$, q reads $(\perp, r')$ or $(\bar{v}, r')$ from $R[\ell]$ in line 3. By Claim 13.6 and the definition of leaders, $r' \geq r - 1$. By the definition of q, no process invokes WRITE $(\bar{v}, r)$ before q invokes WRITE $(\bar{v}, r)$, and so no process invokes WRITE $(\bar{v}, r)$ before q completes reading registers in line 3. So, by Lemma 8 and Lemma 9, no process invokes WRITE $(\bar{v}, j)$ or WRITE $(\perp, j)$ for any $j \geq r$ before q completes reading registers in line 3. Since q reads $(\perp, r')$ or $(\bar{v}, r')$ with $r' \geq r - 1$ from $R[\ell]$ in line 3, r' = r - 1. Since $\ell$ is a leader, q reads (-, r - 1) from the register of every leader in line 3.

**Claim 13.8.** q completes WRITE $(\perp, r-1)$  before p completes WRITE(v, r).

*Proof.* From Claim 13.7, q reads (-, r') with some  $r' \leq r-1$  from R[p] in line 3. Since  $r' \leq r-1$ , by Observation 5(d), p invokes WRITE(-, r') before invoking WRITE(v, r). Since q reads (-, r') from R[p], q starts reading registers in line 3 before p completes WRITE(v, r). By Claim 13.6, q completes WRITE $(\bot, r-1)$  before p completes WRITE(v, r).

Now consider the while iteration in which p decides v at round r.

**Claim 13.9.** p reads  $(\perp, r-1)$ ,  $(\bar{v}, r)$  or  $(\perp, r)$  from R[q] in line 3 of the while iteration where p decides v at round r.

*Proof.* By Claim 13.8, q completes WRITE $(\perp, r-1)$  before p starts reading registers in line 3. Since R[q] is a regular register, by Observation 5(d), p reads (-, r') with  $r' \ge r-1$  from R[q] in line 3. Since p decides v at round r in that iteration, (1) p has R[p] = (v, r) in line 3, and (2) by the condition of line 5, p is a leader. Thus, p does not read (-, j) for any j > r from any register in line 3. This implies p reads (-, r') with r' = r-1 or r' = r from R[q] in line 3.

By Observation 5(e), q completes WRITE(v, r - 1) or WRITE $(\bar{v}, r - 1)$  before it completes WRITE $(\perp, r - 1)$ . Recall that p starts reading registers in line 3 after it completes WRITE(v, r). So, by Claim 13.8 p starts reading registers in line 3 after q completes WRITE $(\perp, r - 1)$ . Thus, since R[q] is a regular register, if r' = r - 1, then p must read  $(\perp, r - 1)$  from R[q] in line 3. Since q invokes WRITE $(\bar{v}, r)$ , by Observation 5(c), q does not invoke WRITE(v, r). Thus, since R[q] is a regular register, if r' = r, then p must read  $(\bar{v}, r)$  or  $(\perp, r)$  from R[q] in line 3. Therefore, p reads  $(\perp, r - 1), (\bar{v}, r)$  or  $(\perp, r)$  from R[q] in line 3.

When p executes line 5 with R[p] = (v, r), by Claim 13.9, p sees that it disagrees with process q, and q trails by at most one round, and so p does not decide in line 6 — a contradiction.

Since both cases lead to a contradiction the lemma holds.

**Lemma 14** (Agreement). If some process p decides v, no process decides  $\bar{v}$ .

*Proof.* Assume, for contradiction, a process p decides v at round r with  $r \ge 1$  and a process  $q \ne p$  decides  $\bar{v}$  at round r' with  $r' \ge 1$ . Without loss of generality, assume  $r' \ge r$ . Since p decides v at round r, by Lemma 13, no process invokes  $\text{WRITE}(\bar{v}, r)$ . So, by Corollary 10, every process that invokes WRITE(-, r'') for any  $r'' \ge r$  invokes WRITE(v, r'') (\*). Since q decides  $\bar{v}$  at round r' in some while iteration, by Definition 11, q reads  $(\bar{v}, r')$  from R[q] in line 3 of that iteration. Since R[q] is a regular register, q invokes  $\text{WRITE}(\bar{v}, r')$ . By (\*), r' < r — a contradiction to  $r' \ge r$ .

We now proceed to show that the algorithm satisfies the **Termination** property with probability 1.

**Observation 15.** For all  $r \ge 1$ , if a correct process p does not decide a value at any round  $r' \le r$ , then p eventually invokes WRITE(-, r).

**Lemma 16.** For all  $r \ge 1$ , if no process invokes WRITE $(\bar{v}, r)$ , then every correct process that invokes WRITE(-, r + 1) decides v at round r + 1.

*Proof.* Assume, for contradiction, there is a round $r \ge 1$ such that no process invokes WRITE $(\bar{v}, r)$, some correct process x invokes WRITE(-, r + 1), but x does not decide v at round r + 1. Since no process invokes WRITE $(\bar{v}, r)$, by Corollary 10, x invokes WRITE(v, r + 1). By Observation 5(c), x never invokes WRITE $(\bar{v}, r + 1)$. So x cannot decide $\bar{v}$ at round r + 1. Since x does not decide v or $\bar{v}$ at round r + 1, and x invokes WRITE(v, r + 1), x must fail the condition in line 5 with (v, r + 1) in its register, i.e., with R[x] = (v, r + 1). Let p be the first process that fails the condition in line 5 with (v, r + 1) in its register, i.e., with R[p] = (v, r + 1).

Process p does so in line 5 of some while iteration. Since R[p] is a regular register, when p reads all the registers in line 3 in this iteration, p reads (v, r+1) from R[p]. Since p fails the condition in line 5, when p reads the registers R[-] in line 3, p sees that (1) p is not a leader, or (2) p is a leader but some process that trails p by less than 2 rounds disagrees with p; i.e., there is a process y such that p reads  $(\bar{v}, r')$  or  $(\perp, r')$  from register R[y] in line 3 with r' = r or r' = r + 1. We now prove that both cases are impossible (and so the lemma holds):

**Case 1:** p is not a leader. Since p reads (v, r + 1) from R[p] in line 3, and p is not a leader, there must be at least one process  $q \neq p$  such that p reads (-, r'') with r'' > r + 1 from R[q]. Since R[q] is a regular register, q invokes WRITE(-, r'') before p completes reading R[q] in line 3. Thus, q invokes WRITE(-, r'') before p fails the condition in line 5 with R[p] = (v, r + 1) (\*).

Since r'' > r+1, q must invoke WRITE(-, r+1) before invoking WRITE(-, r''). Since by assumption no process invokes WRITE $(\bar{v}, r)$ , by Corollary 10, q invokes WRITE(v, r+1). So q fails the condition in line 5 with R[q] = (v, r+1) before invoking WRITE(-, r'') with r'' > r+1. Thus, by (\*) q fails the condition in line 5 with R[q] = (v, r+1) before p fails the condition in line 5 with R[p] = (v, r+1). Since  $q \neq p$ , this contradicts the definition of p.

**Case 2:** There is a process y such that p reads  $(\bar{v}, r')$  or  $(\bot, r')$  from register R[y] in line 3 with r' = r or r' = r + 1. Since R[y] is a regular register, process y invokes  $\text{WRITE}(\bar{v}, r')$  or  $\text{WRITE}(\bot, r')$  with r' = r or r' = r + 1. This contradicts Corollary 10 since, by assumption, no process invokes  $\text{WRITE}(\bar{v}, r)$ .

**Lemma 17.** Suppose some process completes a WRITE(-, r - 1) operation for some round  $r \ge 2$ . Let WRITE(v, r - 1) be the first WRITE(-, r - 1) operation that completes.<sup>2</sup> If all the processes that invoke a WRITE(flip(), r) operation do so with flip() = v, then no process invokes WRITE $(\bar{v}, r)$ .

*Proof.* Suppose some process completes a WRITE(-, r - 1) operation for some round $r \geq 2$. Let WRITE(v, r - 1) be the *first* WRITE(-, r - 1) operation that completes, and p be the process that completes this WRITE(v, r - 1) operation. Assume that some process invokes WRITE$(\bar{v}, r)$; we now prove that some process invokes a WRITE(flip(), r) operation with $flip() = \bar{v}$, and so the lemma holds.

Let q be the first process that invokes  $WRITE(\bar{v}, r)$ ; note that q could be p. According to the algorithm, q invokes  $WRITE(\bar{v}, r)$  by executing either (1) line 8 or (2) line 12. So there are two cases:

- Case 1: q invokes WRITE $(\bar{v}, r)$  by executing line 12. In this case, q invokes WRITE(flip(), r) with  $flip() = \bar{v}$ , as we want to show.
- Case 2: q invokes WRITE $(\bar{v}, r)$  by executing line 8. Consider the while iteration in which q invokes WRITE $(\bar{v}, r)$  by executing line 8.

Claim 17.1. q reads (-, r'') with  $r'' \ge r - 1$  from R[p] in line 3.

Proof. Since q invokes  $\text{WRITE}(\bar{v}, r)$  in line 8, it is clear that q starts reading registers in line 3 after it completes its WRITE(-, r - 1) operation. Since p is the first process that completes a WRITE(-, r - 1) operation, q starts reading registers in line 3 after p completes its WRITE(v, r - 1) operation. Since R[p] is a regular register, by Observation 5(d), q reads (-, r'') with  $r'' \ge r - 1$  from R[p] in line 3.

Let r' be the round of the leaders that q sees in line 3, i.e., q reads (-, r') from all the leaders' registers in line 3. By Claim 17.1 and the definition of leaders,  $r' \ge r - 1$ . Since q invokes WRITE $(\bar{v}, r)$  in line 8, the leaders that q sees agree on  $\bar{v}$ ; more precisely, q reads  $(\bar{v}, r')$  from all the leaders' registers.

Claim 17.2. r' = r - 1.

*Proof.* Since q completes reading all the registers in line 3 before it invokes WRITE $(\bar{v}, r)$  in line 8, by the choice of q, q completes reading the registers before any process invokes WRITE $(\bar{v}, r)$ . In other words, no process invokes WRITE $(\bar{v}, r)$  before q completes reading the registers in line 3. By Lemma 8, no process invokes WRITE $(\bar{v}, j)$  with  $j \ge r$  before q completes reading the registers in line 3. Thus, since the registers are regular, q does not read  $(\bar{v}, j)$  with  $j \ge r$  from any register in line 3. Since q reads  $(\bar{v}, r')$  with  $r' \ge r - 1$  from the leaders' registers, r' = r - 1.

From Claim 17.2, q reads  $(\bar{v}, r-1)$  from the register of every leader in line 3. So, by the definition of leaders and Claim 17.1, r'' = r - 1 and so p must be one of the leaders that q sees, i.e., q reads  $(\bar{v}, r-1)$  from R[p] in line 3. Since R[p] is a regular register, p invokes WRITE $(\bar{v}, r-1)$ . Thus, by the definition of p, p invokes both WRITE(v, r-1) and WRITE $(\bar{v}, r-1)$  — a contradiction to Observation 5(c). Therefore, Case 2 is impossible.

Since in Case 1, process q invokes WRITE(flip(), r) with  $flip() = \bar{v}$  and Case 2 is impossible, the lemma holds.

**Lemma 18.** Suppose some process completes a WRITE(-, r - 1) operation for some round  $r \ge 2$ . Let WRITE(v, r - 1) be the first WRITE(-, r - 1) operation that completes. If all the processes that invoke a WRITE(flip(), r) operation do so with flip() = v, then every correct process decides at some round  $r' \le r + 1$ .

<sup>2</sup>Note that from Observation 5(e), $v \neq \bot$.

Proof. Suppose some process completes a WRITE(-, r - 1) operation for some round  $r \ge 2$ , and let WRITE(v, r-1) be the first WRITE(-, r-1) operation that completes. Since all the processes that invoke a WRITE(flip(), r) operation do so with flip() = v, by Lemma 17, no process invokes WRITE $(\bar{v}, r)$ . Then by Lemma 16, every correct process that invokes WRITE(-, r + 1) decides v at round r + 1. By Observation 15, every correct process that does not invoke WRITE(-, r + 1) must decide at some round  $r' \le r + 1$ . So every correct process decides at some round  $r' \le r + 1$ .

**Lemma 19** (Termination). The algorithm terminates with probability 1, even against a strong adversary.

Proof. Consider any round $r \ge 2$ such that some correct processes have not yet decided, i.e., they have not decided at any round $r' \le r$. Thus, some process has not decided at any round $r' \le r - 1$. By Observation 15, this process eventually invokes WRITE(-, r-1), and since it is correct, it also completes WRITE(-, r-1). Suppose the first WRITE(-, r-1) operation that completes is op = WRITE(v, r-1). Since any invocation of WRITE(flip(), r) can occur only after op completes, the value v is set before any invocation of WRITE(flip(), r), i.e., before any coin flip at round r. Since a strong adversary cannot control coin flips, it cannot prevent the coin flips at round r from matching the value v that was set before the first coin toss at round r. Thus, there is a positive probability $\epsilon \ge 2^{-n}$ that all the processes that invoke a WRITE(flip(), r) operation do so with flip() = v. So, by Lemma 18, with probability $\epsilon$ every correct process decides at some round $r' \le r + 1$; i.e., with probability $\epsilon$ the algorithm terminates by round r + 1. Since this holds for every round $r \ge 2$ such that some correct processes have not decided at any round $r' \le r$, the algorithm terminates with probability 1, even against a strong adversary. $\Box$

By Lemmas 12, 14, and 19, the algorithm satisfies Validity, Agreement, and Termination with probability 1. So we have:

**Theorem 20.** The randomized consensus algorithm of Aspnes and Herlihy shown in Algorithm 1 works with regular SWMR registers against a strong adversary.

## Acknowledgements

We thank Kevan M. Hollbach for his helpful comments on this paper.

## References

- [1] J. Aspnes and M. Herlihy. Fast randomized consensus using shared memory. *Journal of Algorithms*, 11(3):441–461, Sept. 1990.
- [2] W. Golab, L. Higham, and P. Woelfel. Linearizable implementations do not suffice for randomized distributed computation. In *Proceedings of the Forty-Third Annual ACM Symposium on Theory of Computing*, STOC '11, pages 373–382, New York, NY, USA, 2011. Association for Computing Machinery.
- [3] M. Herlihy and J. Wing. Linearizability: A correctness condition for concurrent objects. *ACM Trans. Program. Lang. Syst.*, 12(3):463–492, Jul 1990.
- [4] M. C. Loui and H. Abu-Amara. Memory requirements for agreement among unreliable asynchronous processes. 1987.

# A Appendix

We now briefly explain how the algorithm in [1] was shown to terminate with probability 1 under the assumption that registers are *atomic* (where each operation is instantaneous), and why this proof does not hold if we replace them with *linearizable* (implementations of) registers (where each operation spans an interval).

The following Lemma, shown in [1], is central to the algorithm's original proof of termination:

**Lemma A.1.** Let v be the first value written at round r - 1. If all the processes that flip a coin at round r get the value v,<sup>3</sup> then all processes have the same preference at round r.

The termination argument given in [1] uses Lemma A.1, and intuitively it goes as follows. Before any process flips a coin at any round r, at least one process writes some value at round r-1. Since registers are atomic, the *first value* written by a process at round r-1, say value v, is *fixed before* any process flips a coin at round r. Thus, even a strong adversary cannot prevent any process that flips a coin at round r from getting the value v that was determined before any of these coin tosses. So all the processes that flip a coin at round r get the value v with some positive probability $\epsilon$ ($\epsilon \ge 2^{-n}$ if the system has n processes). The above argument is the core of the proof of termination with probability 1, because by Lemma A.1, if this happens at any round r then all processes have the *same* preference at round r, and (as shown in [1]) this causes the algorithm to terminate by round r + 2.

When the algorithm's atomic registers are replaced with linearizable registers, the above argument, however, fails: in a nutshell, even though Lemma A.1 still holds, it can no longer be used to prove that the algorithm terminates. Intuitively, this is because it is no longer true that the first value written by a process at round r - 1 is fixed before any process flips a coin at round r: as we explain below, with linearizable registers, a stronger adversary can *first* see the result of some coin toss at round r, and *then* control which write operation is linearized *first* among the write operations of round r - 1.



Figure 1: Adversary controlling which value is the first one to be written in round r-1

With linearizable registers, every register operation spans an *interval* that starts with an invocation and is followed by a response. A strong adversary can take advantage of this by scheduling processes and operations as follows (see Figure 1):

- (a) some processes invoke WRITE(0, r - 1) and some processes invoke WRITE(1, r - 1), and all the processes invoke these WRITE(-, r - 1) operations at the same time;
- (b) one of these operations completes, say the operation $w_p = \text{WRITE}(0, r-1)$ by process p;
- (c) after completing the operation $w_p$, p sees both (0, r - 1) and (1, r - 1) from the registers that it reads in line 3, and so p eventually flips a coin in line 12 and gets some value $c \in \{0, 1\}$ at round r;
- (d) if p gets c = 0, then the adversary schedules one of the concurrent WRITE(1, r - 1) operations (namely the write by process q in Figure 1) so that it is the write that is linearized first among all the WRITE(-, r - 1) operations; if p gets c = 1, then the adversary schedules $w_p = \text{WRITE}(0, r - 1)$ to be the write that is linearized first among all the WRITE(-, r - 1) operations.

So in both cases, the adversary can schedule operations to ensure that the first value written at round r-1 is not equal to the coin that p flips at round r.

Thus the core argument of the proof of termination given in [1] for atomic registers does not hold when registers are replaced with linearizable (implementations of) registers: even though Lemma A.1 still holds, the adversary can schedule processes and operations so that it can never be applied.
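The schedule in steps (a)-(d) can be checked mechanically. The following Python sketch is an added illustration, not part of the original paper: it models each WRITE(-, r - 1) as an interval, computes which values a legal linearization may still place first at the moment p flips its coin, and lets the adversary choose after seeing the coin. The names `Write`, `possible_first_values`, `adversary_first_value` and `match_rate`, and the two timing schedules, are constructed for this example.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Write:
    proc: str
    value: int    # v in WRITE(v, r-1)
    inv: float    # invocation time
    resp: float   # response time; math.inf while the operation is still pending

def possible_first_values(writes):
    """Values of round r-1 writes that a legal linearization may still place first.

    A write w can be first iff no other write responded before w was invoked,
    because a linearization must respect the real-time order of
    non-overlapping operations."""
    return {w.value for w in writes
            if not any(o.resp < w.inv for o in writes if o is not w)}

def adversary_first_value(writes, coin):
    """Strong adversary: having seen p's coin, pick a first value != coin if legal."""
    options = possible_first_values(writes)
    return (1 - coin) if (1 - coin) in options else next(iter(options))

# Constructed schedules; p flips its round-r coin at time 2, after w_p responds.
# Atomic: every write is a single instant, so the order is already fixed.
ATOMIC = [Write("p", 0, 1.0, 1.0), Write("q", 1, 1.5, 1.5)]
# Linearizable: w_p spans [0, 1]; q's write overlaps it and is still pending.
LINEARIZABLE = [Write("p", 0, 0.0, 1.0), Write("q", 1, 0.0, math.inf)]

def match_rate(writes, trials=10_000, seed=1):
    """Fraction of trials in which p's coin equals the first value written."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        coin = rng.randint(0, 1)          # the adversary cannot bias the flip
        hits += adversary_first_value(writes, coin) == coin
    return hits / trials

if __name__ == "__main__":
    print("atomic       :", possible_first_values(ATOMIC), match_rate(ATOMIC))
    print("linearizable :", possible_first_values(LINEARIZABLE), match_rate(LINEARIZABLE))
```

With the atomic schedule only one value can be first, so the coin matches it about half the time; with the overlapping schedule both values remain possible after the flip and the match rate drops to zero.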

<sup>3</sup>This means every process that writes (flip(), r) to its atomic register does so with flip() = v.

Finally, it is also worth noting that if registers are *strongly linearizable* [2], then the original proof of termination given in [1] holds again: by the time any process flips a coin in line 12 at round r, the WRITE(-, r - 1) operation that is linearized first has already been determined.